From 8c1f088b19412fbb6d1822d73ba42b9682dce0ea Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Thu, 22 Sep 2022 21:26:26 +0100
Subject: [PATCH] Harden DMARC and SPF rules

Hopefully people still get my emails...
---
 terraform/jakehoward.tech.tf  | 6 +++---
 terraform/theorangeone.net.tf | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf
index cb29da7..4d9a3c2 100644
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@@ -23,7 +23,7 @@ resource "cloudflare_record" "jakehowardtech_mx2" {
 resource "cloudflare_record" "jakehowardtech_txt" {
   zone_id = cloudflare_zone.jakehowardtech.id
   name    = "@"
-  value   = "v=spf1 include:spf.messagingengine.com ~all"
+  value   = "v=spf1 include:spf.messagingengine.com -all"
   type    = "TXT"
   ttl     = 1
 }
@@ -55,7 +55,7 @@ resource "cloudflare_record" "jakehowardtech_dkim_fm3" {
 resource "cloudflare_record" "jakehowardtech_dmarc" {
   zone_id = cloudflare_zone.jakehowardtech.id
   name    = "_dmarc"
-  value   = "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@jakehoward.tech;"
+  value   = "v=DMARC1; pct=100; p=quarantine; rua=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
   ttl     = 1
 }
@@ -167,7 +167,7 @@ resource "cloudflare_record" "jakehowardtech_auth" {
 resource "cloudflare_record" "jakehowardtech_mailgun_spf" {
   zone_id = cloudflare_zone.jakehowardtech.id
   name    = "mg"
-  value   = "v=spf1 include:mailgun.org ~all"
+  value   = "v=spf1 include:mailgun.org -all"
   type    = "TXT"
   ttl     = 1
 }
diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf
index 076744b..747eb17 100644
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@@ -47,7 +47,7 @@ resource "cloudflare_record" "theorangeonenet_mx2" {
 resource "cloudflare_record" "theorangeonenet_spf" {
   zone_id = cloudflare_zone.theorangeonenet.id
   name    = "@"
-  value   = "v=spf1 include:spf.messagingengine.com ~all"
+  value   = "v=spf1 include:spf.messagingengine.com -all"
   type    = "TXT"
   ttl     = 1
 }
@@ -79,7 +79,7 @@ resource "cloudflare_record" "theorangeonenet_dkim_fm3" {
 resource "cloudflare_record" "theorangeonenet_dmarc" {
   zone_id = cloudflare_zone.theorangeonenet.id
   name    = "_dmarc"
-  value   = "v=DMARC1; p=quarantine; rua=mailto:dmarc-report@jakehoward.tech;"
+  value   = "v=DMARC1; pct=100; p=quarantine; rua=mailto:dmarc-report@jakehoward.tech;"
   type    = "TXT"
   ttl     = 1
 }
@@ -232,7 +232,7 @@ resource "cloudflare_record" "theorangeonenet_commento" {
 resource "cloudflare_record" "theorangeonenet_mailgun_spf" {
   zone_id = cloudflare_zone.theorangeonenet.id
   name    = "mg"
-  value   = "v=spf1 include:mailgun.org ~all"
+  value   = "v=spf1 include:mailgun.org -all"
   type    = "TXT"
   ttl     = 1
 }